May 2008

Monthly Archive

Using snmp to monitor Cisco ASA

admin 08 May 2008 | : IT Stuff, snmp

snmp - the Simple Network Management Protocol - is anything but, as I discovered while trying to monitor status on remote devices. The story so far …

Some background on snmpwalk

snmpwalk is a very useful tool to explore what snmp information is available from an snmp enabled device. To use snmpwalk, on a commandline enter:

snmpwalk -Os -v [1|2c|3] -c community host [ OID ]

-Os means print only last symbolic element of OID
-v is the snmp version identifier
-c is the snmp community
host is the IP address of the snmp agent you want to query
OID is an optional item which identifies a specific branch of the mib for the device. If given only the values under that branch will be printed.

You can use snmpwalk --help to get a full list of options for snmpwalk.
By default an snmp agent listens on UDP port 161 and traps are handled through UDP port 162. If the agent you want to query is not listening on UDP port 161 then you may need to specify the agent IP address and port in the format host:port-number.

Turning snmp on in a Cisco ASA

#
# allow host #.#.#.# to poll through the ASA's outside interface for snmp
# community "public" using snmp version 2. Refers to the contents of the
# standard MIB-II which is sometimes referred to as RFC1213-MIB
snmp-server host outside #.#.#.# poll community public version 2c
#
# as far as I can see this is informational
snmp-server location MyServerRoom
#
# sets the text for mib object sysContact
snmp-server contact Me
#
# set the snmp community
snmp-server community public
#
# enables the specified snmp traps
snmp-server enable traps snmp authentication linkup linkdown coldstart

Backup renewable energy???

admin 07 May 2008 | : Renewable Energy

I’ve been looking for a renewable energy system that ties in with the normal power grid for our office and this grid tie system at xantrex looks very interesting. Also look at Solar Online Australia for some local resources.

More when I can take this idea further …

Exim+spamassassin+clamd

admin 07 May 2008 | : IT Stuff, exim

This will add spam and av scanning to an Exim4 configuration at smtp time - note it does not use Exiscan. It will also add a ***SPAM*** marker to the subject line of mails whose spam score is between our minimum spam threshold and the upper spam threshold above which spam mail will be automatically rejected. Exim will also check DNSBLs for known spam sources. This configuration has been tested with Exim 4.63. These steps also assume that you have spamassassin and clamav installed, configured and working. If your settings for these vary from my examples below you will need to adjust things as required. Now on to the configuration …

In the Main configuration section of exim.conf

  • add the av scanner. This assumes you have installed clamav, the path to the socket in clamd’s configuration must match the path you specify here:

    av_scanner = clamd:/var/run/clamd.exim/clamd.sock

  • add spamd, by default spamd listens on port 783. If your spamd is using a different socket then change this as appropriate:

    spamd_address = 127.0.0.1 783

  • add in a system filter. We will use the system filter to rewrite the subject line on mails which are identified as spam. If you put the system filter in a different location or name the file differently adjust this entry as needed:

    system_filter = /etc/exim/system.filter

    For our purposes a system filter can be quite simple, all it does is rewrite the subject line of spam emails …

    if $header_X-Spam-Flag: contains "YES"
    then
    headers remove subject
    headers add "Subject: $h_X-Spam-Subject:"
    endif

In the “begin acl” section of your exim.conf file find the “acl_check_rcpt:” acl. There are several sections in this acl which are processed in order. There should be a section that looks like:

accept hosts = +relay_from_hosts
control = submission

  • add the DNSBL processing:

    deny message = DNSBL listed at $dnslist_domain\n$dnslist_text
    dnslists = zen.spamhaus.org:bl.spamcop.net:cbl.abuseat.org:psbl.surriel.com

Now find the acl_check_data: acl

  • near the top add the virus scanner check:

    deny malware = *
    message = This message contains a virus ($malware_name).

  • next we start our spam handling - if the email is too large just let it in, the spamassassin processing for large emails is very demanding, also typical spam emails are not large. In this case we will allow messages larger than 100000 bytes through as they are relatively unlikely to be spam

    accept condition = ${if >= {$message_size}{100000} {1}}
    add_header = X-Spam-Note: Spamassassin run bypassed due to message size

  • next we allow spamassassin to fail or time out

    warn spam = nobody/defer_ok
    add_header = X-Spam-Flag: YES

  • now add an X-Spam-Report header for messages <80k in size

    warn condition = ${if <{$message_size}{80k}{1}{0}}
    message = X-Spam-Report: $spam_report
    spam = nobody:true

  • add a note if spamassassin invocation fails

    accept condition = ${if !def:spam_score_int {1}}
    add_header = X-Spam-Note: Spamassassin invocation failed

  • add the X-Spam headers if the spam score is above the minimum

    warn condition = ${if >{$spam_score_int}{45}{1}}
    add_header = X-Spam-Subject: ***SPAM*** $h_subject
    add_header = X-Spam-Bar: $spam_bar
    add_header = X-Spam-Flag: YES
    add_header = X-Spam-Report: $spam_report

  • reject all mail with a spamscore above your “reject because it’s total rubbish, I never want to read it” maximum spam score

    deny condition = ${if >{$spam_score_int}{110} {1}}
    message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
    $spam_report

  • the last line in this acl should be to accept any mail which has passed our anti-virus and spam testing so

    accept

… and that is it. The DNSBLs I use I’ve found to be reliable and have an almost 0% rejection of non-spam emails but your mileage might vary so experiment to find the ones which suit you the best (it could be worth checking out the article “Which ones work well” at www.dnsbl.com as a starting point). To check how things are running you can tail the exim log file (tail -f /var/log/exim/main.log)
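To go one step beyond tailing the log, here is an added example (not part of the original post) that counts rejections per cause by matching the message texts set in the ACLs above. The log line layout and the sample lines are constructed for illustration; summarize_rejects and sample_log are hypothetical names.

```shell
#!/bin/sh
# Added example: count Exim rejections by cause, keyed on the ACL message
# texts used in this post. The sample log below is constructed, not real.

# Constructed sample of main.log entries (documentation addresses only).
sample_log() {
cat <<'EOF'
2008-05-08 10:12:01 H=(mx.example.net) [192.0.2.10] F=<a@example.net> rejected RCPT <me@example.org>: DNSBL listed at zen.spamhaus.org
2008-05-08 10:12:07 H=(host.example.com) [192.0.2.44] F=<b@example.com> rejected RCPT <me@example.org>: DNSBL listed at bl.spamcop.net
2008-05-08 10:13:44 1JtXyZ-0001Ab-2C H=(pc.example.net) [192.0.2.61] F=<c@example.net> rejected after DATA: This message contains a virus (Eicar-Test-Signature).
2008-05-08 10:14:02 1JtXzA-0001Ac-9Q H=(x.example.com) [192.0.2.77] F=<d@example.com> rejected after DATA: Your message scored 14.2 SpamAssassin point. Report follows:
2008-05-08 10:15:30 H=(mx2.example.net) [192.0.2.10] F=<e@example.net> rejected RCPT <me@example.org>: DNSBL listed at zen.spamhaus.org
2008-05-08 10:16:00 1JtXzB-0001Ad-3K <= f@example.org H=(ok.example.org) [192.0.2.90] P=esmtp S=2048
EOF
}

# summarize_rejects [FILE...]: reads the named logs, or stdin when none given.
# Prints one "cause count" line per cause, sorted by cause.
summarize_rejects() {
    awk '
        / rejected RCPT .*: DNSBL listed at / {
            d = $0
            sub(/.*DNSBL listed at /, "", d)   # keep what follows the marker
            sub(/[^A-Za-z0-9.-].*/, "", d)     # cut at first non-hostname char
            count["dnsbl:" d]++
            next
        }
        / rejected after DATA: This message contains a virus/ { count["virus"]++; next }
        / rejected after DATA: Your message scored /          { count["spam"]++;  next }
        END { for (k in count) print k, count[k] }
    ' "$@" | sort
}

# Demo on the constructed sample; accepted mail (the "<=" line) is ignored.
sample_log | summarize_rejects
```

On a live server, run summarize_rejects /var/log/exim/main.log; a DNSBL that accounts for most rejections of mail you actually wanted is the one to drop from the dnslists line.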

Installing clamav

admin 06 May 2008 | : Centos 5.x, exim

I wanted to install an anti-virus scanner to work with my smtp server (exim) and since I couldn’t find a centos repository that included clamav and didn’t want to spend hours searching I just downloaded the source and installed from scratch. To do this you will need to have a compiler and development libraries installed. The steps I followed were:

  • Create the clamav user and group

    sudo groupadd clamav
    sudo useradd -g clamav -c "clamav user" -d /var/clamav -s /sbin/nologin -m clamav

  • Download the source from http://www.clamav.net into a working directory and unpack (eg. tar zxvf clamav-0.93.tar.gz) which will create a source code directory called clamav-0.93 under your working directory.
  • cd into the source code directory and execute ./configure. In my case I didn’t want to change any of the defaults and wanted to install clamav into /usr/local, which is the default location. The output will tell you if there are any missing prerequisites such as zlib. If there are any missing prerequisites then I recommend that you install them first and then start to build and install clamav.
  • Execute make which will compile the clamav source with the configuration options from above.
  • Install clamav

    sudo make install

  • Edit the clamd.conf file in /usr/local/etc and set appropriate values for the various configuration items. My clamd.conf has the following settings:

    LogFile /tmp/clamd.log
    LogFileUnlock yes
    LogFileMaxSize 2M
    LogTime yes
    LogClean yes
    LogSyslog yes
    PidFile /var/run/clamd.pid
    LocalSocket /var/run/clamd.exim/clamd.sock
    FixStaleSocket yes
    MaxRecursion 128
    MaxFileSize 15M
    MaxFiles 1500

    for all other settings I accepted the defaults.

  • Configure /usr/local/etc/freshclam.conf - the settings I changed in my freshclam.conf were:

    UpdateLogFile /var/log/freshclam.log
    LogTime yes
    LogSyslog yes
    PidFile /var/run/freshclam.pid
    DatabaseMirror database.clamav.net
    NotifyClamd /usr/local/etc/clamd.conf

    all other settings were at their default values

  • Run freshclam once manually to seed the virus signatures in the database. Execute /usr/local/bin/freshclam
  • For normal operations I also set freshclam to run once per hour by adding it to my crontab

    8 0-23 * * * /usr/local/bin/freshclam 2>&1

  • Create a script to automatically start clamd on a system reboot in /etc/init.d. My /etc/init.d/clamd script is:


    #! /bin/sh
    #
    ### BEGIN INIT INFO
    # Provides: clamd
    # Required-Start: $syslog $network clamd
    # X-UnitedLinux-Should-Start:
    # Required-Stop: $syslog $network clamd
    # X-UnitedLinux-Should-Stop:
    # Default-Start: 3 5
    # Default-Stop: 0 1 2 6
    # Short-Description: anti virus scan mails
    # Description: Start clamd
    ### END INIT INFO
    #

    # Check for missing binaries (stale symlinks should not happen)
    # Note: Special treatment of stop for LSB conformance
    CLAMD_BIN=/usr/local/sbin/clamd
    CLAMD_CONFIG=/usr/local/etc/clamd.conf
    CLAMD_PID_FILE=/var/run/clamd.pid

    test -x $CLAMD_BIN || { echo "$CLAMD_BIN not installed";
    if [ "$1" = "stop" ]; then exit 0;
    else exit 5; fi; }

    # Check for existence of needed config file and read it
    test -r $CLAMD_CONFIG || { echo "$CLAMD_CONFIG not existing";
    if [ "$1" = "stop" ]; then exit 0;
    else exit 6; fi; }

    # Shell functions sourced from /etc/rc.status:
    # rc_check check and set local and overall rc status
    # rc_status check and set local and overall rc status
    # rc_status -v be verbose in local rc status and clear it afterwards
    # rc_status -v -r ditto and clear both the local and overall rc status
    # rc_status -s display “skipped” and exit with status 3
    # rc_status -u display “unused” and exit with status 3
    # rc_failed set local and overall rc status to failed
    # rc_failed set local and overall rc status to
    # rc_reset clear both the local and overall rc status
    # rc_exit exit appropriate to overall rc status
    # rc_active checks whether a service is activated by symlinks
    # rc_splash arg sets the boot splash screen to arg (if active)
    . /etc/rc.status

    # Reset status of this service
    rc_reset

    # Return values acc. to LSB for all commands but status:
    # 0 - success
    # 1 - generic or unspecified error
    # 2 - invalid or excess argument(s)
    # 3 - unimplemented feature (e.g. “reload”)
    # 4 - user had insufficient privileges
    # 5 - program is not installed
    # 6 - program is not configured
    # 7 - program is not running
    # 8–199 - reserved (8–99 LSB, 100–149 distrib, 150–199 appl)
    #
    # Note that starting an already running service, stopping
    # or restarting a not-running service as well as the restart
    # with force-reload (in case signaling is not supported) are
    # considered a success.

    case "$1" in
    start)
    echo -n "Starting clamd"
    $CLAMD_BIN 2>&1

    # Remember status and be verbose
    rc_status -v
    ;;
    stop)
    echo -n "Shutting down clamd"
    CLAMD_PID=`/usr/bin/head -n 1 ${CLAMD_PID_FILE}`
    kill -TERM ${CLAMD_PID}

    # Remember status and be verbose
    rc_status -v
    ;;
    restart)
    ## Stop the service and regardless of whether it was
    ## running or not, start it again.
    $0 stop
    $0 start

    # Remember status and be quiet
    rc_status -v
    ;;
    reload)
    echo -n "Reload service clamd"
    CLAMD_PID=`head -n 1 ${CLAMD_PID_FILE}`
    kill -HUP ${CLAMD_PID}
    rc_status -v

    ## Otherwise:
    #$0 stop && $0 start
    #rc_status
    ;;
    *)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
    ;;
    esac
    rc_exit

  • Now make a link from the /etc/init.d/clamd script to the runlevel startup directories. Try

    chkconfig clamd on

    or possibly

    ln -s /etc/init.d/clamd /etc/rc3.d/S99clamd
    ln -s /etc/init.d/clamd /etc/rc5.d/S99clamd

  • Now start clamd

    /etc/init.d/clamd start
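The clamd socket path appears twice in these notes, once as av_scanner in exim.conf and once as LocalSocket in clamd.conf, and scanning fails if the two drift apart. The following is an added example (not part of the original post) that compares them; the function names are hypothetical and the demo runs on constructed config fragments using the values shown above.

```shell
#!/bin/sh
# Added example: confirm Exim and clamd agree on the clamd socket path.

# Print the socket path from an "av_scanner = clamd:/path" line in exim.conf.
exim_clamd_socket() {
    sed -n 's/^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*clamd:\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# Print the LocalSocket value from clamd.conf (commented-out lines are skipped).
clamd_local_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# check_clamd_socket EXIM_CONF CLAMD_CONF
# Returns 0 when both name the same socket, 1 on mismatch, 2 when a setting is missing.
check_clamd_socket() {
    exim_sock=$(exim_clamd_socket "$1")
    clamd_sock=$(clamd_local_socket "$2")
    if [ -z "$exim_sock" ] || [ -z "$clamd_sock" ]; then
        echo "missing setting: exim='$exim_sock' clamd='$clamd_sock'"
        return 2
    fi
    if [ "$exim_sock" != "$clamd_sock" ]; then
        echo "MISMATCH: exim uses $exim_sock, clamd listens on $clamd_sock"
        return 1
    fi
    echo "OK: $exim_sock"
}

# Demo on constructed config fragments using the values from these notes.
demo_dir=$(mktemp -d)
printf 'av_scanner = clamd:/var/run/clamd.exim/clamd.sock\n' > "$demo_dir/exim.conf"
printf '#LocalSocket /tmp/clamd\nLocalSocket /var/run/clamd.exim/clamd.sock\n' > "$demo_dir/clamd.conf"
check_clamd_socket "$demo_dir/exim.conf" "$demo_dir/clamd.conf"
rm -rf "$demo_dir"
```

On a real system, pass the path of your own exim.conf and /usr/local/etc/clamd.conf as the two arguments.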

Splash Photo

admin 06 May 2008 | : Photography

Yes, it’s one of mine. It’s the entrance to Tuross Lake looking across the sandbar to the Pacific Ocean. Taken earlier this year (2008), the weather was fantastic.

Neil

What is dmapi?

admin 06 May 2008 | : Centos 5.x, IT Stuff

dmapi is the data management api defined in the X/Open document “Systems Management Data Storage Management API” dated Feb 1997. XFS, IBM JFS, VxFS, AdvFS and GPFS file systems support DMAPI for Hierarchical Storage Management.

Enabling the CentOSPlus repository

admin 06 May 2008 | : Centos 5.x, IT Stuff

  • Open the /etc/yum.repos.d/CentOS-Base.repo file in your favourite text editor.
  • Find the [centosplus] section and set (Note: Ignore quotes) “enabled=1” then add the line “includepkgs=kernel* xfs* kmod* dmapi*”
  • You can now list the available (eg. xfs related) packages using “yum list available *xfs*”

Adding an xfs partition to Centos 5

admin 06 May 2008 | : Centos 5.x

First off I should say that my test system is pretty ancient being an AMD Duron with 512MB ram so if you are installing onto something more modern your mileage on the actual commands may vary. If you are using an x86_64 system you will need to enable the CentosPlus repository. For i386/i686 the modules you need are in the extras repository so no changes to the /etc/yum.repos.d/CentOS-Base.repo file are required. Also I refer to directories and devices on my hardware, you should replace these references with those for your own system as appropriate.

(1) Obtaining the xfs modules

This assumes you are logged into Centos and have a command prompt…

At a command prompt execute

yum list available *xfs*

and you should see something like the following output

Loading "installonlyn" plugin
Setting up repositories
base 100% |=========================| 1.1 kB 00:00
updates 100% |=========================| 951 B 00:00
addons 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Available Packages
kmod-xfs.i686 0.4-1.2.6.18_53.1.14.e extras
kmod-xfs-PAE.i686 0.4-1.2.6.18_53.1.14.e extras
kmod-xfs-xen.i686 0.4-1.2.6.18_53.1.14.e extras
xfsdump.i386 2.2.46-1.el5.centos extras
xfsprogs.i386 2.9.4-1.el5.centos extras
xfsprogs-devel.i386 2.9.4-1.el5.centos extras
xorg-x11-xfs.i386 1:1.0.2-4 base
xorg-x11-xfs-utils.i386 1:1.0.2-4 base

The modules I loaded were kmod-xfs.i686, xfsdump.i386, xfsprogs.i386 and dmapi so execute the command

yum install kmod-xfs.i686 xfsdump.i386 xfsprogs.i386 dmapi

(2) Creating an XFS filesystem

  • Use fdisk or parted to create a new partition from unused space on your hard disk. You will need to check the man pages for exact details. If you are converting an existing partition to xfs then see (3) below.
  • Format the new filesystem for xfs with a command like mkfs.xfs <filesystem> eg. for a partition /dev/hda3 the command would be

    mkfs.xfs /dev/hda3

  • You can provide a number of parameters to mkfs.xfs to set various options so it may be worth reading the man pages for mkfs.xfs.
  • Create a mountpoint for the new filesystem

    mkdir /mymount

  • Edit /etc/fstab and add a line something like

    /dev/hda3 /mymount xfs defaults 1 1

    which basically means “mount the block special device /dev/hda3 on the /mymount mountpoint. This is an xfs filesystem which uses the default mount options, the filesystem does not need to be dumped but fsck can check the filesystem after it has checked the root filesystem”.

  • Mount your new filesystem

    mount /mymount

    The mount command will read the mount options from the fstab line that refers to the /mymount mountpoint.

  • You can now access the new filesystem at /mymount

(3) Converting an existing filesystem to xfs. For the purposes of these notes we will assume that /dev/hda3 is mounted on /opt formatted as ext3.

  • Make a backup of any data currently on the partition you want to convert to xfs.
  • Unmount the /opt partition

    umount /opt

  • Format the partition as XFS

    mkfs.xfs -f /dev/hda3

  • edit /etc/fstab
    • If you are not using LVM or your system does not use volume labels to identify partitions find the entry for /dev/hda3 and change the third item on that line of the fstab file from ext3 to xfs.
    • If you have LVM2 partitions you are probably using volume labels in your fstab file in which case I suggest that you format the partition using the command mkfs.xfs -f -L /opt /dev/hda3 then find the line in fstab that starts with “LABEL=/opt” and change the third item on that line from ext3 to xfs
  • Remount the partition

    mount /opt

  • Restore the data you backed up in the first point above.

Congratulations, you should now have a working XFS partition that will automatically mount during a system boot.